[OpenID] Secure attribute transmission
Johnny Bufu
johnny.bufu at gmail.com
Sun Aug 3 21:17:04 UTC 2008
On 03/08/08 11:27 AM, Easysurfer at gmx.de wrote:
> I'd like to transmit sensitive data over the Attribute Exchange Extension and was wondering about the best way for encryption.
[...]
> Any ideas? I'd like to pass the info over using only the OpenID
> protocol, not invent another protocol for my own use.
If what you're trying to avoid is the exchange of another secret key
(and not require the RP to offer an HTTPS endpoint), then your only
option is to enforce stateful mode and use the shared association
secret to encrypt the attributes.
Otherwise, the exchange of the encryption key can be done through
attribute exchange. Working with the same assumption that RPs can't
generally afford HTTPS endpoints, the key exchange would have to be
initiated by the RP against an HTTPS OP endpoint, e.g. through an AX store
request.
Johnny
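
A sketch of the first option in the reply above (encrypting attribute values under the stateful-mode association secret), added here as an example and not part of the original thread or of any OpenID library. OpenID and AX define no such encryption; the function names and the `ax-attr-enc` label are hypothetical, and the HMAC-SHA256 counter-mode keystream is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import base64, hashlib, hmac, secrets

def hkdf_sha256(secret: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with an all-zero salt: extract, then expand."""
    prk = hmac.new(b"\x00" * 32, secret, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_keys(assoc_secret: bytes, assoc_handle: str):
    # The association secret already signs OpenID messages, so it is not used
    # for encryption directly: derive separate keys bound to this handle.
    okm = hkdf_sha256(assoc_secret, b"ax-attr-enc|" + assoc_handle.encode(), 64)
    return okm[:32], okm[32:]          # (encryption key, authentication key)

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode (stand-in for AES-CTR/GCM, stdlib only).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _tag(mac_key: bytes, attr_type: str, nonce: bytes, ct: bytes) -> bytes:
    # The attribute type URI is authenticated so a ciphertext cannot be
    # moved to a different attribute.
    return hmac.new(mac_key, attr_type.encode() + b"\x00" + nonce + ct, hashlib.sha256).digest()

def encrypt_attribute(assoc_secret, assoc_handle, attr_type, value: str) -> str:
    enc_key, mac_key = derive_keys(assoc_secret, assoc_handle)
    nonce = secrets.token_bytes(16)    # fresh per value, never reused
    pt = value.encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(enc_key, nonce, len(pt))))
    tag = _tag(mac_key, attr_type, nonce, ct)   # encrypt-then-MAC
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()

def decrypt_attribute(assoc_secret, assoc_handle, attr_type, token: str) -> str:
    enc_key, mac_key = derive_keys(assoc_secret, assoc_handle)
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < 48:                  # 16-byte nonce + 32-byte tag
        raise ValueError("token too short")
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, _tag(mac_key, attr_type, nonce, ct)):
        raise ValueError("authentication failed: wrong association or altered value")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct)))).decode()
```

Decryption only succeeds for the party holding the same association, so the RP has to pass the `assoc_handle` it is using and the OP has to refuse to fall back to stateless mode for these attributes.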